How Does the Bank Remember My Computer?

Note that clearing your cookies doesn’t clear “zombie cookies”. Between Flash, your browser’s cookie system and, more recently, HTML5, you can have cookies that keep coming back and back and back.

There have been some articles on Slashdot about this.

And yes, there are ways a web site can ID your computer with a high level of confidence via browser-providable info. I wouldn’t rely on this info since it isn’t perfect. Unfortunately, web programmers don’t have the same level of standards I do. Stupidity and web site design go hand-in-hand. So some places probably do it.

That’s not (or at least, shouldn’t be) two security issues, and your password is supposed to be your only protection. If your password is good enough, you’re secure, and if it’s not, you’re not secure.

Facebook is constantly telling me that a “new device” has accessed my account. It’s either my phone or my laptop, the only two things I access my FB account with. It’s constantly making me name them and say they’re OK. Pisses me off.

Why do you say that? My username and the state might not be as hard for a hacker to guess as my actual password, but if they are given free to a hacker (which they may be if my bank wrongly identifies the hacker’s computer as mine) that makes his job a heck of a lot easier.

And why do you think a password has to be the only protection? brazil84 apparently has to answer security questions even when his computer is identified, and then enter a password. I also have an account with another bank that requires first my name and a ‘membership’ number, then on another page, another number off my debit card, then yet another number that is generated dynamically by putting my debit card in a special reader and entering my pin. However many layers of protection that is, it is more than one. It is nonsense to say a password is “supposed” to be my only protection.

It’s not stupid. They’re not using this kind of fingerprinting as a positive form of authentication. They’re using it to detect when an account is accessed from a different device or location, and subjecting those to additional scrutiny.

Due to phishing scams, weak passwords, etc. it is a given that some accounts will be accessed with the right username and password by unauthorized persons. So they employ any number of combinations of the various means discussed here to try to fingerprint the system you customarily log in from and trigger additional security if you log in from a different computer even if you know the name and password.

Cookies are almost always used, but many people disable or delete cookies, so they also test location, operating system, browser version, installed plug-ins and add-ons, time zone and language settings, screen size and resolution, etc., etc., and make a best guess. It isn’t ever a means of logging in to the account; it is just an additional layer of security if they see the login is coming from a system you normally don’t use to access the account.

In the paper at the link upthread they document their findings thus far. In the worst case they estimate something like 94% of web users have totally unique browser fingerprints, and in the best case something like 88%. It isn’t secure enough to use as a login without a name and password and whatever other information they ask for, but it is a very accurate way for them to determine if you are using a different system than you usually do to access the account. Ironically the more anti-tracking measures one takes in their browser (ad blockers, noscript, security add ons, disabling cookies, etc.) the more unique their browser fingerprint will be among the others. I have no problem with online banking checking this but at the same time it means other sites, advertisers, hackers, etc. can and probably do track it too.

So? It’s still stupid, as even now browsers are pushing towards eliminating this type of information. Heck, I know how to crudely block it myself; the only problem is that use of it is so rare that my lack of information actually identifies me.

Furthermore, unlike with cookies which are restricted by domain, I can easily set up a website that will check your data, and then, with a little know-how, set my computer to match.

Both of these aren’t really a problem yet, but it’s amazing how slow institutions tend to be about increasing security.

Just out of curiosity, how so?

And then all you would have is the ability to try to log in normally, with the username/password and whatever other information they normally require. If they eliminate this practice you would need a username and password. If they use this practice you would need a username and password.

It can’t be used to compromise an account. It can only be used to add even more security if, despite already having all the required login information, the attempt is coming from an unexpected source.

It’s a case of the banks using this available information for a good reason but it leads to the obvious conclusion that it can and probably is also being used for all kinds of reasons that people who block cookies and use ad blockers think they are immune to, e.g. visit tracking, targeted advertising, sharing your browsing or ordering habits with other web sites, etc.

Institutions are absolutely using this fingerprinting technique to try to prevent fraudulent transactions. And it has moved beyond that to help advertisers to track individuals for more targeted advertising.

There are companies that specialize in this niche and the whole thing is moving along rapidly (phones too).

Which is the exact opposite issue I am concerned about.